Systems and methods for managing a network

ABSTRACT

A method of managing a network. The method includes receiving an activation key transmitted from a device connected to the network, automatically transmitting a configuration to the device, automatically maintaining the configuration of the device, and receiving log information from the device.

CROSS-REFERENCE TO RELATED APPLICATION

This application is a divisional application of co-pending U.S. patent application Ser. No. 11/106,837 filed Apr. 15, 2005, which claims the benefit under 35 U.S.C. §119(e) to U.S. Provisional Patent Application Ser. No. 60/562,596 filed on Apr. 15, 2004, the disclosure of which is incorporated herein by reference.

BACKGROUND

This application discloses an invention that is related, generally and in various embodiments, to systems and methods for managing a network.

Some network environments provide companies with critical information technology (IT) services for installing, connecting, managing and securing their network environment. However, traditional network implementations have required that network infrastructure capable of supporting computer applications be assembled using disparate hardware, software and systems that must be manually configured and managed. As a result, these traditional network implementations have been utilized primarily by large enterprises with large information technology (IT) budgets.

Small and medium businesses (SMBs) represent the majority of businesses, and their network management and security needs are no less critical than that of larger enterprises. However, due to budgetary and technological constraints, traditional secure network management systems, services, and elements are usually not a viable option for SMBs. Most SMBs lack the necessary IT staff and budget resources to effectively manage secure network environments that may be leveraged to deploy distributed applications that run on these networks and make those businesses more competitive.

SUMMARY

In one general respect, this application discloses a method of managing a network. According to various embodiments, the method includes receiving an activation key automatically transmitted from a device connected to the network, automatically transmitting a configuration to the device, automatically maintaining the configuration of the device, and receiving log information from the device.

According to various embodiments, the method includes automaticallysetting a default configuration for the device, automatically generatingan activation key associated with a device, and automaticallytransmitting a provisioned configuration to the device after the deviceis connected to the network.

According to various embodiments, the method includes periodically polling a device connected to the network, automatically determining whether a configuration of the device is current, automatically setting a new configuration for the device when the configuration is not current, and automatically transmitting the new configuration to the device.

According to various embodiments, the method includes receiving network traffic information from a device connected to the network, automatically correlating the information, and automatically determining network performance based on the information.

According to various embodiments, the method includes receiving credentials associated with a remote access user, automatically validating the credentials, automatically determining which devices connected to the network the remote access user is authorized to connect to, and automatically transmitting to a remote access client a list of devices the remote access user is authorized to connect to.

In another general respect, this application discloses a system for managing a network. According to various embodiments, the system includes a device connected to the network and a management center in communication with the device via the Internet. The device includes a processor and a memory. The management center includes a first module for provisioning a configuration of the device, a second module for automatically transmitting the configuration to the device, and a third module for automatically maintaining the configuration of the device.

BRIEF DESCRIPTION OF THE DRAWINGS

FIG. 1 illustrates various embodiments of a system for managing a network;

FIG. 2 illustrates various embodiments of a device;

FIG. 3 illustrates various embodiments of the device;

FIG. 4 illustrates various embodiments of the device;

FIG. 5 illustrates various embodiments of a management center;

FIG. 6 illustrates various embodiments of a server;

FIG. 7 illustrates various embodiments of a server;

FIG. 8 illustrates various embodiments of a server;

FIG. 9 illustrates various embodiments of a web-based management portal;

FIG. 10 illustrates various embodiments of a method of managing a network;

FIG. 11 illustrates various embodiments of a method of managing a network;

FIG. 12 illustrates various embodiments of a method of managing a network;

FIG. 13 illustrates various embodiments of a method of managing a network; and

FIG. 14 illustrates various embodiments of a method of managing a network.

DETAILED DESCRIPTION

The systems and methods described herein may be utilized to provide for the automated delivery of managed services. It is to be understood that the figures and descriptions of the disclosed invention have been simplified to illustrate elements that are relevant for a clear understanding of the invention, while eliminating, for purposes of clarity, other elements. Those of ordinary skill in the art will recognize, however, that these and other elements may be desirable. However, because such elements are well known in the art, and because they do not facilitate a better understanding of the invention, a discussion of such elements is not provided herein.

FIG. 1 illustrates various embodiments of a system 10 for managing a network. The system 10 may be utilized to provide a company with critical information technology (IT) services for installing, connecting, managing and securing their network environment without having to rely on several discrete systems.

According to various embodiments, the system 10 includes a management center 12 and at least one device 14 in communication with the management center 12 via the Internet 16. Although only three devices 14 are shown in FIG. 1, the system 10 may include any number of devices 14 in communication with the management center 12 via the Internet 16. Each device 14 may be located at a different customer location, and each device 14 may be connected to a different local area network 18.

FIGS. 2-4 illustrate various embodiments of the device 14 of FIG. 1. As shown in FIG. 2, the device 14 includes a processor 20 and a memory 22. According to various embodiments, the device 14 may also include a first fast ethernet port 24, a second fast ethernet port 26, and a third fast ethernet port 28. As shown in FIG. 3, the device 14 may be connected to a local area network 18 via the first fast ethernet port 24, to a service provider wide area network 30 via the second fast ethernet port 26, and to a demilitarized zone 32 via the third fast ethernet port 28. The device 14 may serve to act as a security device to protect the local area network 18 and the demilitarized zone 32 from outside threats originating from the wide area network 30. According to various embodiments, in lieu of being connected to the demilitarized zone 32 via the third fast ethernet port 28, the device 14 may be connected to a redundant wide area network (not shown) via the third fast ethernet port 28.

The local area network 18 may include network elements such as, for example, an ethernet switch 34, a computer 36, a wireless access point 38, a printer 40, a file server 42 and any other network elements known by those skilled in the art to comprise a portion of a local area network. The demilitarized zone 32 may include network elements such as, for example, an ethernet switch 44, an e-mail server 46, a web server 48 and any other network elements known by those skilled in the art to comprise a portion of a demilitarized zone.

As shown in FIG. 4, the device 14 may include a Linux based operating system and the following modules: an auto-provisioning module 50, an auto-update module 52, a firewall module 54, an intrusion prevention module 56, an anti-virus module 58, a content filtering module 60, an anti-spam module 62, a VPN module 64, a DHCP server module 66, a distributed network management poller module 68, an inline network performance monitoring module 70, a logger module 72, a remote access server module 74, an IP and network interface module 76, a QOS module 78, and a VLAN module 80.

The auto-provisioning module 50 of the device 14 is operable to provide the device 14 with auto-provisioning functionality. For example, according to various embodiments, the auto-provisioning module 50 allows for the device 14 to be auto-configured based on an activation code entered by an installer during installation of the device 14 at a customer location.

The auto-update module 52 of the device 14 is operable to provide the device 14 with auto-update functionality. For example, according to various embodiments, the auto-update module 52 allows for the device 14 to be automatically updated whenever updates to the device 14 are available. The updates may include, for example, operating system updates, intrusion prevention rule updates, anti-virus signature updates, and content filtering database updates.

The firewall module 54 of the device 14 is operable to provide the device 14 with firewall functionality. For example, according to various embodiments, the firewall module 54 allows for the device 14 to perform deep packet inspection, stateful inspection, network address translation, port address translation and port forwarding.

The intrusion prevention module 56 of the device 14 is operable to provide the device 14 with intrusion prevention functionality. For example, according to various embodiments, the intrusion prevention module 56 allows for the device 14 to perform real-time traffic analysis and logging, protocol analysis, and content searching and matching. The intrusion prevention module 56 may also allow for the device 14 to detect a variety of attacks and probes such as, for example, buffer overflows, operating system fingerprinting attempts, common gateway interface attacks and port scans.

The anti-virus module 58 of the device 14 is operable to provide the device 14 with anti-virus functionality. For example, according to various embodiments, the anti-virus module 58 of the device 14 allows for the device 14 to provide an Internet gateway protection service that protects against viruses and malicious code that may be downloaded from the Internet 16 to the local area network 18. According to various embodiments, the anti-virus module 58 of the device 14 allows for the integration of the device 14 and an anti-virus client installed on one or more devices that comprise a portion of the local area network 18. The anti-virus module 58 allows for the device 14 to block access to the Internet 16 for any device of the local area network 18 that does not have the most current anti-virus client and anti-virus signature database installed thereon. The anti-virus module 58 of the device 14 may redirect such blocked devices to a webpage that will allow for the device to be updated to include the most current anti-virus client and anti-virus signature database.

The content filtering module 60 of the device 14 is operable to provide the device 14 with content filtering functionality. For example, according to various embodiments, the content filtering module 60 of the device 14 allows for the device 14 to act as a transparent proxy which inspects each request made from the local area network 18 to the Internet 16. The content filtering module 60 may determine whether to grant or deny the request to access a particular website based on defined policies. For instances where the request is granted, the content filtering module 60 may further determine which types of files are allowed to be downloaded from the Internet 16 to the local area network 18. According to various embodiments, each policy may be defined as a blacklist or a whitelist. If the policy is defined as a blacklist, the content filtering module 60 operates to allow access to all sites except those explicitly defined to be blocked. If the policy is defined as a whitelist, the content filtering module 60 operates to block access to all sites except those explicitly defined to be allowed.
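The blacklist and whitelist semantics described above, together with the file-type check on granted requests, can be sketched as follows. This is an added example, not code from the patent; the `FilterPolicy` structure, parent-domain matching, judging file type by URL extension, and the sample host names are assumptions made for illustration.

```python
from dataclasses import dataclass, field
from urllib.parse import urlsplit


@dataclass
class FilterPolicy:
    """Hypothetical policy record; the patent does not define a format."""
    mode: str                                   # "blacklist" or "whitelist"
    sites: set = field(default_factory=set)     # listed domains, lower case
    allowed_file_types: set = field(default_factory=set)  # e.g. {"html", "pdf"}


def normalized_host(url):
    """Lower-case host without a trailing dot; '' if the URL has no usable host."""
    try:
        host = urlsplit(url).hostname or ""
    except ValueError:          # malformed authority, e.g. a broken IPv6 literal
        return ""
    return host.rstrip(".")


def is_listed(host, sites):
    """True if the host or any parent domain is listed (assumed matching rule)."""
    labels = host.split(".")
    return any(".".join(labels[i:]) in sites for i in range(len(labels)))


def decide(policy, url):
    """Return (verdict, reason) for one request seen by the transparent proxy."""
    host = normalized_host(url)
    if not host:
        return ("deny", "no-host")              # fail closed on unparseable input
    listed = is_listed(host, policy.sites)
    if policy.mode == "blacklist":
        # Default allow: only explicitly listed sites are blocked.
        if listed:
            return ("deny", "site-blacklisted")
    elif policy.mode == "whitelist":
        # Default deny: only explicitly listed sites are reachable.
        if not listed:
            return ("deny", "site-not-whitelisted")
    else:
        return ("deny", "unknown-policy-mode")  # a mistyped mode must not allow
    # Request granted: now check which file types may be downloaded.
    name = urlsplit(url).path.rsplit("/", 1)[-1]
    ext = name.rsplit(".", 1)[-1].lower() if "." in name else ""
    if ext and ext not in policy.allowed_file_types:
        return ("deny", "file-type-not-allowed")
    return ("allow", "ok")
```

A URL extension is only a hint; a proxy enforcing file types would also need to look at the response itself.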

The anti-spam module 62 is operable to provide the device 14 with anti-spam and e-mail anti-virus functionality. For example, according to various embodiments, the anti-spam module 62 of the device 14 allows for the device 14 to act as a transparent proxy which inspects each e-mail message that transits the device 14 for viruses and malicious code. If the anti-spam module 62 identifies an e-mail as SPAM, the device 14 may block the e-mail. If the anti-spam module 62 identifies an e-mail as containing a virus, the device 14 may attempt to disinfect the e-mail. If the e-mail is cleaned, the device 14 may forward the cleaned e-mail along with a message that the e-mail contained a virus. If it is not possible to disinfect the e-mail, the device 14 may block the e-mail.

The VPN module 64 of the device 14 is operable to provide the device 14 with VPN functionality. For example, according to various embodiments, the VPN module 64 provides the encryption protocol for the automatic building of a site to site VPN which is implemented as a secure tunnel that connects two different devices 14. A secure socket layer (SSL) is used to create the encrypted tunnel between the two devices 14. In instances where a device 14 is assigned a new WAN IP Address, the VPN module 64 allows for all of the tunnels connecting the device 14 to other devices 14 to automatically reconfigure themselves to establish new tunnels to the device 14 at the new IP Address. According to various embodiments, the VPN module 64 of the device 14 allows for the cooperation of the device 14 and a remote access client.

The DHCP server module 66 of the device 14 is operable to provide the device 14 with DHCP server functionality. For example, according to various embodiments, the DHCP server module 66 allows the device 14 to provide IP addresses and configuration parameters to network devices requesting this information using the DHCP protocol. IP address pools with characteristics such as default gateways, domain names, and DNS servers can be defined. Static assignments can also be defined based on MAC address.

The distributed network management poller module 68 of the device 14 is operable to provide the device 14 with distributed network management poller functionality. For example, according to various embodiments, the distributed network management poller module 68 allows the device 14 to poll network elements that comprise a portion of a local area network 18 and are in communication with the device 14. For example, the distributed network management poller module 68 may utilize Internet control message protocol pings to determine a reachability value and a latency value for one or more of the network elements. The distributed network management poller module 68 may also utilize simple network management protocol (SNMP) to poll SNMP information from network elements that are SNMP capable. Such SNMP information may include, for example, CPU utilization or server temperature.

The inline network performance monitoring module 70 of the device 14 is operable to provide the device 14 with inline network performance monitoring functionality. For example, according to various embodiments, the inline network performance monitoring module 70 allows the device 14 to inspect each packet that transits the device 14 and record certain information such as source/destination IP address, protocol, and source/destination ports.

According to various embodiments, the inline network performance monitoring module 70 also allows the device 14 to monitor all network traffic that passes between the device 14 and another device 14. Each device 14 has its time synchronized precisely to network time protocol servers (not shown). This allows for each device 14 to reference packet information with a common time reference. According to various embodiments, the inline network performance monitoring module 70 can record the exact time every packet leaves a device 14, and record items such as, for example, source/destination IP address, protocol, sequence number and source/destination port. As the packets travel across the Internet 16, the packets eventually reach the destination device 14. The inline network performance monitoring module 70 of the destination device 14 records the exact time the packet is received by the destination device 14 and items such as, for example, source/destination IP address, protocol, sequence number and source/destination port.
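Because both devices record the same identifying fields against a common time reference, the two record sets can be joined to yield one-way latency and loss. The following is an added example, not code from the patent; the record layout, the microsecond timestamps, the treatment of negative transit times as a clock problem, and the sample addresses are assumptions.

```python
from collections import namedtuple, defaultdict, deque

# One record per packet as logged by a device; ts_us is microseconds on the
# shared NTP-disciplined clock (assumed unit).
PacketRecord = namedtuple("PacketRecord", "ts_us src dst proto seq sport dport")


def packet_key(r):
    """Fields both devices record, used to pair a departure with an arrival."""
    return (r.src, r.dst, r.proto, r.seq, r.sport, r.dport)


def correlate(sent, received):
    """Join departure records from one device with arrival records from another."""
    arrivals = defaultdict(deque)
    for r in sorted(received, key=lambda r: r.ts_us):
        arrivals[packet_key(r)].append(r.ts_us)

    latencies, lost, clock_suspect = [], 0, 0
    for s in sorted(sent, key=lambda r: r.ts_us):
        pending = arrivals.get(packet_key(s))
        if not pending:
            lost += 1                      # never seen at the destination device
            continue
        delta = pending.popleft() - s.ts_us
        if delta < 0:
            # Arrival "before" departure: the clocks disagree, so the sample
            # is excluded from latency instead of skewing the average.
            clock_suspect += 1
        else:
            latencies.append(delta)

    total = len(sent)
    return {
        "latencies_us": latencies,
        "avg_latency_us": sum(latencies) / len(latencies) if latencies else None,
        "lost": lost,
        "loss_pct": 100.0 * lost / total if total else 0.0,
        "clock_suspect": clock_suspect,
    }


# Constructed sample data (documentation address ranges), not real captures.
A, B = "198.51.100.10", "203.0.113.20"
SAMPLE_SENT = [
    PacketRecord(1_000_000, A, B, "tcp", 1, 40000, 443),
    PacketRecord(1_010_000, A, B, "tcp", 2, 40000, 443),
    PacketRecord(1_020_000, A, B, "tcp", 3, 40000, 443),
    PacketRecord(1_030_000, A, B, "tcp", 4, 40000, 443),
]
SAMPLE_RECEIVED = [
    PacketRecord(1_042_000, A, B, "tcp", 1, 40000, 443),
    PacketRecord(1_055_000, A, B, "tcp", 2, 40000, 443),
    # seq 3 never arrives
    PacketRecord(1_029_000, A, B, "tcp", 4, 40000, 443),  # earlier than it was sent
]

if __name__ == "__main__":
    print(correlate(SAMPLE_SENT, SAMPLE_RECEIVED))
```

The count of clock-suspect samples is worth alerting on in its own right, since every latency figure depends on the time synchronization the passage describes.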

The logger module 72 of the device 14 is operable to provide the device 14 with logging functionality. For example, according to various embodiments, the logger module 72 allows information obtained by the device 14 (e.g., intrusion prevention detections, anti-virus detections, network device polling results, source/destination IP addresses, application performance measurements, etc.) to be recorded, processed and transmitted to the management center 12. According to various embodiments, the data collected by the inline network management monitoring module 70 of each device 14 is forwarded to the logger module 72 of the associated device 14. After receiving the data, the logger modules 72 wait a random amount of time (e.g., between approximately 120 and 240 seconds) before transmitting the data to the management center 12. This random delay is to prevent all the devices 14 from sending their data back to the management center 12 at the same time. If the management center 12 cannot be reached, the device 14 may queue the data locally until the management center 12 can be reached. When the management center 12 is reached, the logger module 72 will transmit all of the queued data. The data that is transmitted uses a system queue which ensures that regular user network traffic will always have priority and this data transfer will only use the unused bandwidth on the network connection.
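The randomized send delay and the local queueing while the management center is unreachable can be sketched as below. This is an added example, not code from the patent; the `LogForwarder` class, the injected `send` callable, the bounded queue with a drop counter, and the sample log entries are assumptions.

```python
import random
from collections import deque


class LogForwarder:
    """Hypothetical device-side forwarder with jittered, retried uploads."""

    def __init__(self, send, rng=None, min_delay=120, max_delay=240,
                 max_queued=10000):
        self.send = send                  # callable(batch) -> True on success
        self.rng = rng or random.Random()
        self.min_delay, self.max_delay = min_delay, max_delay
        self.max_queued = max_queued      # assumed bound so storage cannot fill
        self.queue = deque()
        self.dropped = 0                  # oldest entries discarded at the bound
        self.next_attempt = None

    def schedule(self, now):
        # Random delay so many devices do not all report at the same moment.
        self.next_attempt = now + self.rng.uniform(self.min_delay, self.max_delay)

    def record(self, now, entry):
        if len(self.queue) >= self.max_queued:
            self.queue.popleft()
            self.dropped += 1             # surfaced so log loss is visible
        self.queue.append(entry)
        if self.next_attempt is None:
            self.schedule(now)

    def tick(self, now):
        """Call periodically; returns how many entries were delivered."""
        if self.next_attempt is None or now < self.next_attempt:
            return 0
        batch = list(self.queue)
        try:
            ok = bool(self.send(batch))
        except OSError:                   # management center unreachable
            ok = False
        if not ok:
            self.schedule(now)            # keep everything queued, retry later
            return 0
        self.queue.clear()
        self.next_attempt = None
        return len(batch)


def demo():
    """Constructed scenario: first upload fails, second one succeeds."""
    delivered = []
    outcomes = iter([False, True])

    def send(batch):
        if next(outcomes):
            delivered.append(batch)
            return True
        return False

    fw = LogForwarder(send, rng=random.Random(7))
    fw.record(0, "ips: port scan detected")
    first = fw.next_attempt
    fw.record(10, "av: signature database updated")
    early = fw.tick(119)                  # still inside the random delay
    failed = fw.tick(240)                 # attempt made, center unreachable
    retry_at = fw.next_attempt
    fw.record(250, "poller: file server unreachable")
    sent = fw.tick(480)                   # center reachable, queue flushed
    return first, early, failed, retry_at, sent, delivered, len(fw.queue)
```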

The remote access server module 74 of the device 14 is operable to provide the device 14 with remote access capability. For example, according to various embodiments, the remote access server module 74 allows for the cooperation of the device 14 with a remote access client.

The IP and network interface module 76 is operable to provide the device 14 with the capability to configure the network interface characteristics such as IP Address type (e.g., static IP, DHCP, or PPPOE), IP address, subnet mask, speed and duplex. The IP and network interface module 76 is also operable to provide the device 14 with the capability to configure IP routing.

The QOS module 78 of the device 14 is operable to provide the device 14 with QOS functionality. For example, according to various embodiments, the QOS module 78 allows the device 14 to selectively transmit packets based on the relative importance of the packet. The QOS module 48 may also allow the device 14 to inspect each packet and determine a particular queue to send the packet to based on defined rules. Rules may be defined, for example, based on source/destination IP address and/or port information. If a packet does not match any rule, it may be sent to a default queue.

The VLAN module 80 of the device 14 is operable to provide the device 14 with VLAN functionality. For example, according to various embodiments, the first and third fast Ethernet ports 24, 28 of the device 14 that are connected to the local area network 18 and the demilitarized zone 32 may be configured as 802.1q trunk ports. The VLAN module 80 allows the device 14 to connect to many different VLANS from an Ethernet switch that has enabled trunking.

According to various embodiments, the device 14 may also automatically transmit performance information to the management center 12. The performance information may include, for example, a CPU utilization value for the device 14, a memory utilization value for the device 14, and a network interface bandwidth utilization value for the device 14. The performance data may also include, for example, the information obtained by the distributed network management poller module 68 of the device 14.

FIG. 5 illustrates various embodiments of the management center 12 of FIG. 1. The management center 12 includes a database cluster 82, an activation server 84, a logger server 86, a manager server 88 and a web-based management portal 90. The management center 12 is located external to any customer sites and may provide a shared infrastructure for multiple customers. According to various embodiments, the database cluster 82 includes a plurality of databases and structural query language (SQL) servers. According to various embodiments, the database cluster 82 includes a combination of structural query language servers and open source MySQL servers. The databases hold all of the data required by the activation server 84, the logger server 86, the manager server 88 and the web-based management portal 90.

FIG. 6 illustrates various embodiments of the activation server 84. The activation server 84 may include a Linux based operating system, and may include an auto-provisioning manager module 92, an auto-update manager module 94 and an activation manager module 96. The auto-provisioning manager module 92 is operable to configure any device 14 that is in the process of being activated. The auto-update manager module 94 is operable to update the operating system of any device 14 that is in the process of being activated. The auto-update manager module 94 is also operable to update the various databases and signature files used by applications resident on the device 14 (e.g., intrusion prevention, anti-virus, content filtering). The activation manager module 96 is operable to communicate with the back-end SQL servers of the database cluster 82 to gather the necessary data required by the auto-provisioning manager module 92 to generate device configurations. The activation manager module 96 is also operable to authenticate incoming devices 14 and determine their identity based on the activation key.

According to various embodiments, the activation server 84 is a collection of hosted servers that are utilized to set up the initial configuration of each device 14. Based on an activation key received from the device 14 when the device 14 is first installed, the activation server 84 automatically sends the appropriate configuration to the device 14. The activation server 84 also assigns the device 14 to a redundant pair of logger servers 86 and a redundant pair of manager servers 88.

FIG. 7 illustrates various embodiments of the logger server 86. The logger server 86 may include a Linux based operating system and a logger server module 98. According to various embodiments, the logger server 86 is a collection of hosted servers that receive log information from the devices 14 and correlate the information.

FIG. 8 illustrates various embodiments of the manager server 88. The manager server 88 may include a Linux based operating system and the following modules: an auto-provisioning manager module 100, an auto-update manager module 102, a firewall configuration manager module 104, an intrusion prevention configuration manager module 106, an anti-virus configuration manager module 108, a content filtering configuration manager module 110, an anti-spam configuration manager module 112, a VPN configuration manager module 114, a DHCP server configuration manager module 116, a network management monitor module 118, a distributed network management configuration manager module 120, an inline network management configuration manager module 122, an IP and network interface configuration manager 124, a VLAN configuration manager module 126, a QOS configuration manager module 128, a logger configuration manager module 130, a remote access configuration manager module 132, and a network graph generator module 134.

According to various embodiments, the manager server 88 is a collection of servers that are utilized to manage the devices 14. The manager server 88 transmits the configuration and the updates to the device 14. The manager server 88 also monitors the device 14, stores performance data, and generates graphs for each device 14 and each network element monitored by the device 14. For example, the auto-update manager module 102 may periodically poll each device 14 and determine whether each device 14 has the most current version of the device operating system, the anti-virus signature database, the content filtering database and the intrusion protection database. If the auto-update manager module 102 determines that a particular device 14 does not have the most current version of the operating system and databases, the auto-update manager module 102 will operate to automatically transmit the appropriate update to the device 14.

The VPN configuration manager module 114 may automatically configure the VPN tunnels for each device 14. When the particular device 14 is first activated, the device 14 contacts the manager server 88 and reports its public Internet address. The auto-provisioning manager module 100 records the reported address and stores it in the database cluster 82. The VPN configuration manager module 114 may also gather all of the VPN configuration information from the database cluster 82 for each device 14 that is provisioned to have a VPN connection to the particular device 14. The VPN configuration manager module 114 may also create configuration files for each of the devices 14. After the manager server 88 transmits the configurations to each of the devices 14, secure encrypted tunnels are established between each of the devices 14.

When a particular device 14 is issued a new IP address, the device 14 automatically transmits its new IP address to the manager server 88. The auto-update manager module 102 responds to this IP address change and automatically generates new configurations for all of the devices 14 that have tunnels to the particular device 14. The VPN configuration manager module 114 automatically transmits the new configurations to the devices 14 and the encrypted tunnels automatically reconverge.

FIG. 9 illustrates various embodiments of the web-based management portal 90. The web-based management portal 90 may include a Windows or Linux based operating system and the following modules: a firewall configuration tool module 136, an intrusion prevention configuration tool module 138, an anti-virus configuration tool module 140, a content filtering configuration tool module 142, an anti-spam configuration tool module 144, a VPN configuration tool module 146, a DHCP server configuration tool module 148, a network monitoring configuration tool module 150, an IP and network interface configuration tool module 152, a VLAN configuration tool module 154, a QOS configuration tool module 156, a logger configuration tool module 158, a remote access configuration tool module 160, a global status maps and site views module 162 and a user administration tool module 164.

According to various embodiments, the web-based management portal 90 includes a collection of integrated centralized network management systems and a grouping of customer management tools. According to various embodiments, the web-based management portal 90 is a combination of many different web servers running Microsoft Internet Information Server or Apache. The web pages may be written in Microsoft's ASP.NET or PHP, and the web applications may interface with the SQL servers of the database cluster 82 to synchronize changes to the network environment as changes are made to the configuration of the devices 14 via the web-based management portal 90. The web-based management portal 90 may further include the capability for firewall management, intrusion prevention management, anti-virus management, content filtering management, anti-spam management, site to site and remote access virtual private network management, network monitoring, network configuration, account management and trouble ticketing.

The firewall configuration tool module 136 allows for centralized management of the firewall policies for each device 14. According to various embodiments, the firewall for a given local area network 18 resides on the device 14 associated with the given local area network 18. The firewall configuration tool module 136 allows a user to efficiently and securely manage all of the firewalls and define global policies that are easily applied to all firewalls at once. The firewall configuration tool module 136 also allows the customer to set custom firewall policies to each individual firewall. Each firewall can also have individual user permissions to restrict which user accounts can modify which firewalls. This capability may provide an administrator at each site the ability to manage their own firewall and yet restrict them from changing the configuration of any other firewalls in the network. A notification can be automatically sent to a group of administrators every time a change is made to a firewall policy. A firewall validation tool allows a user to run a security check against their current firewall settings and report on which ports are open and any vulnerabilities that are detected. The firewall configuration tool module 136 may also be used to view firewall log information.

The intrusion prevention configuration tool module 138 allows for the centralized management of the intrusion prevention rules for each device 14. According to various embodiments, the intrusion prevention system for a given local area network 18 resides on the device 14 associated with the given local area network 18. The intrusion prevention configuration tool module 138 allows a user to efficiently and securely manage all of the intrusion prevention systems and define global policies that are easily applied to all intrusion prevention systems at once. The intrusion prevention configuration tool module 138 also allows the customer to set custom intrusion prevention rules to each individual intrusion prevention system. Each intrusion prevention system can also have individual user permissions to restrict which user accounts can modify which intrusion prevention system. This capability may provide an administrator at each site the ability to manage their own intrusion prevention system and yet restrict them from changing the configuration of any other intrusion prevention systems in the network. An e-mail notification can be automatically sent to a group of administrators every time a change is made to an intrusion prevention system configuration. The intrusion prevention configuration tool module 138 may also be used to view intrusion protection log information.

The anti-virus configuration tool module 140 allows for the centralized management of the anti-virus policies for each device 14. According to various embodiments, the anti-virus service includes two anti-virus systems. The first anti-virus system for a given local area network 18 may be embodied as an anti-virus gateway service that resides on the device 14 associated with the given local area network 18. The second anti-virus system is a desktop anti-virus agent that resides on each customer computer (e.g., computer 36) that requires anti-virus protection. The anti-virus configuration tool module 140 allows a user to efficiently and securely manage both of the anti-virus systems and define global policies that are easily applied to all anti-virus systems at once. The anti-virus configuration tool module 140 also allows a user to set custom anti-virus policies to each individual anti-virus gateway. Each anti-virus system can also have individual user permissions to restrict which user accounts can modify which anti-virus system. This capability may provide an administrator at each site the ability to manage their own anti-virus policies and yet restrict them from changing the configuration of any other anti-virus systems in the network. An e-mail notification can be automatically sent to a group of administrators every time a change is made to an anti-virus system configuration. The anti-virus configuration tool module 140 may also be used to view anti-virus log information.

The content filtering configuration tool module 142 allows for the centralized management of the content filtering policies for each device 14. According to various embodiments, the content filtering system for a given local area network 18 resides on the device 14 associated with the given local area network 18. The content filtering configuration tool module 142 allows a user to efficiently and securely manage all of the content filtering systems and define global policies that are easily applied to all content filtering systems at once. The content filtering configuration tool module 142 also allows the customer to set custom content filtering policies to each individual content filtering system. Each content filtering system can also have individual user permissions to restrict which user accounts can modify which content filtering system. This capability may provide an administrator at each site the ability to manage their own content filtering system and yet restrict them from changing the configuration of any other content filtering systems in the network. An e-mail notification can be automatically sent to a group of administrators every time a change is made to a content filtering system configuration. The content filtering configuration tool module 142 may also be used to view content filtering log information.

The anti-spam configuration tool module 144 allows for the centralized management of the anti-spam policies for each device 14. According to various embodiments, the anti-spam system for a given local area network 18 resides on the device 14 associated with the given local area network 18. The anti-spam configuration tool module 144 allows a user to efficiently and securely manage all of the anti-spam systems and define global policies that are easily applied to all anti-spam systems at once. The anti-spam configuration tool module 144 also allows a user to set custom anti-spam policies to each individual anti-spam system. Each anti-spam system can also have individual user permissions to restrict which user accounts can modify which anti-spam system. This capability may provide an administrator at each site the ability to manage their own anti-spam system and yet restrict them from changing the configuration of any other anti-spam systems in the network. A notification can be automatically sent to a group of administrators every time a change is made to an anti-spam system configuration. The anti-spam configuration tool module 144 may also be used to view anti-spam log information.

The VPN configuration tool module 146 allows for the centralized management of the VPN policies for each device 14. According to various embodiments, the VPN system for a given local area network 18 resides on the device 14 associated with the given local area network 18. The VPN configuration tool module 146 allows a user to efficiently and securely manage all of the VPN systems and define global policies that are easily applied to all VPN systems at once. The VPN configuration tool module 146 also allows a user to set custom VPN policies to each individual VPN system. Each VPN system can also have individual user permissions to restrict which user accounts can modify which VPN system. This capability may provide an administrator at each site the ability to manage their own VPN system and yet restrict them from changing the configuration of any other VPN systems in the network. A notification can be automatically sent to a group of administrators every time a change is made to a VPN system configuration.

The DHCP server configuration tool module 148 allows for the centralized management of the DHCP server policies for each device 14. According to various embodiments, the DHCP server for a given local area network 18 resides on the device 14 associated with the given local area network 18. The DHCP server configuration tool module 148 allows a user to efficiently and securely manage all of the DHCP servers and define global policies that are easily applied to all DHCP servers at once. The DHCP server configuration tool module 148 also allows a user to set custom DHCP server policies to each individual DHCP server. Each DHCP server can also have individual user permissions to restrict which user accounts can modify which DHCP server. This capability may provide an administrator at each site the ability to manage their own DHCP server and yet restrict them from changing the configuration of any other DHCP server in the network. A notification can be automatically sent to a group of administrators every time a change is made to a DHCP server configuration.

The network monitoring configuration tool module 150 allows for the centralized management of the network monitoring policies for each device 14. According to various embodiments, the network monitoring system for a given local area network 18 resides on the device 14 associated with the given local area network 18. The network monitoring configuration tool module 150 allows a user to efficiently and securely manage all of the network monitoring systems and define global policies that are easily applied to all network monitoring systems at once. The network monitoring configuration tool module 150 also allows a user to set custom network monitoring policies to each individual network monitoring system. Each network monitoring system can also have individual user permissions to restrict which user accounts can modify which network monitoring system. This capability may provide an administrator at each site the ability to manage their own network monitoring system and yet restrict them from changing the configuration of any other network monitoring systems in the network. A notification can be automatically sent to a group of administrators every time a change is made to a network monitoring system configuration.

The IP and network interface configuration tool module 152 allows for the centralized management of the network configuration for each device 14. The centralized management of the network configuration may include, for example, managing IP Address, IP Types (static IP, DHCP, PPPOE), IP routing, Ethernet Trunking, VLANs, and QOS configuration. According to various embodiments, the IP and network interface configuration tool module 152 allows a user to efficiently and securely manage all of the devices 14. Each device 14 can also have individual user permissions to restrict which user accounts can modify the network configuration. This capability may provide an administrator at each site the ability to manage their own network configuration and yet restrict them from changing the configuration of any other devices 14 in the network. A notification can be automatically sent to a group of administrators every time a change is made to a device network configuration.
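The configuration tool modules above share one access model: global policies applied to every instance, custom rules per instance, per-instance user permissions, and a notification on each change. The following sketch is an added example, not code from the patent; the class names, the account and site names, the rule that a custom value overrides the global one, and the list of denied attempts are all assumptions made for illustration.

```python
from dataclasses import dataclass, field


@dataclass
class ServiceInstance:
    """One managed service (e.g. intrusion prevention) on one device 14."""
    device_id: str
    editors: set                      # accounts allowed to modify this instance
    custom: dict = field(default_factory=dict)


class ServicePolicyManager:
    """Central store for one service type (hypothetical stand-in for a tool module)."""

    def __init__(self, service, global_admins):
        self.service = service
        self.global_admins = set(global_admins)
        self.global_policy = {}
        self.instances = {}
        self.outbox = []      # stand-in for the notification sent to administrators
        self.denied = []      # rejected attempts kept for review (added here)

    def add_instance(self, device_id, editors):
        self.instances[device_id] = ServiceInstance(device_id, set(editors))

    def _notify(self, user, scope, key, value):
        self.outbox.append(f"{self.service}: {user} set {key}={value!r} on {scope}")

    def set_global(self, user, key, value):
        """Global policies apply to every instance at once."""
        if user not in self.global_admins:
            self.denied.append((user, "*", key))
            raise PermissionError(f"{user} may not change global {self.service} policy")
        self.global_policy[key] = value
        self._notify(user, "all devices", key, value)

    def set_custom(self, user, device_id, key, value):
        """Custom rule for one instance; only that instance's editors may set it."""
        inst = self.instances[device_id]
        if user not in inst.editors and user not in self.global_admins:
            self.denied.append((user, device_id, key))
            raise PermissionError(f"{user} may not modify {self.service} on {device_id}")
        inst.custom[key] = value
        self._notify(user, device_id, key, value)

    def effective(self, device_id):
        """Assumed precedence: a device's custom rule overrides the global value."""
        return {**self.global_policy, **self.instances[device_id].custom}


def demo():
    # Constructed accounts and sites.
    mgr = ServicePolicyManager("intrusion-prevention", global_admins={"hq-admin"})
    mgr.add_instance("site-a", editors={"alice"})
    mgr.add_instance("site-b", editors={"bob"})
    mgr.set_global("hq-admin", "block_port_scan", True)
    mgr.set_custom("alice", "site-a", "alert_threshold", 5)
    try:
        mgr.set_custom("alice", "site-b", "alert_threshold", 1)   # not her site
    except PermissionError:
        pass
    return mgr
```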

The global status maps and site views module 162 allows an authorized user to view the real-time status of their network, devices 14, and network elements that are monitored by the devices 14. This global status maps and site views module 162 provides a global map of the world, and countries and continents on this map are color coded to represent the underlying status of any devices 14 that reside in that region. For example, a customer may have devices 14 in the United States, Japan, and Italy. If all of the devices 14 and network elements monitored by the devices 14 are operating as expected, the countries on the map will be shown as green. When a device 14 in Japan ceases to operate as expected, the portion of the map representing Japan may turn red or yellow depending on the severity of the problem. The countries on the map can be selected to drill down into a lower level map. For example, the authorized user could select the United States from the world map and be presented with a state map of the United States. The individual states may be color coded to represent the underlying status of any devices 14 that reside in that state. For each state selected, a list of the sites and devices 14 in that state may be shown. The states on the map can be selected to drill down into a lower level sub map. The lower level sub map may show, for example, a particular region, city, or customer site.

The global status maps and site views module 162 may read the latest data polled for each device 14 and the network elements that are monitored by them. It may also check the data against preset thresholds that determine what the status of each device 14 should be set to. It may determine the color for the lowest level map item that contains the device 14 and set the status appropriately. The status and color for each higher level map is set to represent the status of the underlying map. The color of each map item represents the severity of the most severe problem of a device 14 in that region. For example, if a device 14 is not operating as expected, all of the maps that have a region that includes this device 14 will be shown as red. If a device 14 is operating in a manner associated with the color yellow, all of the maps that have a region that includes this device 14 will be shown as yellow. A map region will only be shown as green if all devices 14 included in that map region are operating as expected.

The user administration tool module 164 allows for the centralized management of a number of functionalities. According to various embodiments, the user administration tool module 164 allows a user to set up an account profile and manage different aspects of a user profile such as name, address and account name. According to various embodiments, the user administration tool module 164 allows a user to manage all orders for secure network access platform products and services including a description and status of orders and allows a user to order additional items as well. According to various embodiments, the user administration tool module 164 allows a user to manage bills, including reading current invoices, making payment, updating billing information, downloading previous statements, and invoices.

According to various embodiments, the user administration tool module 164 allows a user to add and change user accounts, delete user accounts, change passwords, create new groups, move users into certain individuals and groups, and set permissions for those individuals and groups. The permissions may allow access to different portions of the web-based management portal 90. For example, a finance employee may be given access to only account administration tools for billing and order management. Similarly, a technical employee may be given access to only the technical sections of the web-based management portal 90 and not to billing center or order management sections. According to various embodiments, the user administration tool module 164 may allow a user to open trouble tickets, track the status of existing trouble tickets, and run some of the diagnostic tools available in the secure network access platform environment.

According to various embodiments, the management center 12 may correlate all information received from the devices 14, including performance information received from the devices 14.

Each of the modules described hereinabove may be implemented as microcode configured into the logic of a processor, or may be implemented as programmable microcode stored in electrically erasable programmable read only memories. According to other embodiments, the modules may be implemented by software to be executed by a processor. The software may utilize any suitable algorithms, computing language (e.g., C, C++, Java, JavaScript, Visual Basic, VBScript, Delphi), and/or object oriented techniques and may be embodied permanently or temporarily in any type of computer, computer system, device, machine, component, physical or virtual equipment, storage medium, or propagated signal capable of delivering instructions. The software may be stored as a series of instructions or commands on a computer readable medium (e.g., device, disk, or propagated signal) such that when a computer reads the medium, the described functions are performed.

Although the system 10 is shown in FIG. 1 as having wired data pathways, according to various embodiments, the network elements may be interconnected through a secure network having wired or wireless data pathways. The secure network may include any type of delivery system comprising a local area secure network (e.g., Ethernet), a wide area secure network (e.g., the Internet and/or World Wide Web), a telephone secure network, a packet-switched secure network, a radio secure network, a television secure network, a cable secure network, a satellite secure network, and/or any other wired or wireless communications secure network configured to carry data. The secure network may also include additional elements, such as intermediate nodes, proxy servers, routers, switches, and adapters configured to direct and/or deliver data.

FIG. 10 illustrates various embodiments of a method of managing a network. According to various embodiments, the method includes receiving an activation key automatically transmitted from a device connected to the network, automatically transmitting a configuration to the device, automatically maintaining the configuration of the device, and receiving log information from the device. The network may be, for example, a local area network, or a number of local area networks that rely on the Internet to communicate with one another. The device may be, for example, the device 14 described hereinabove. The method may be utilized to provide an automated managed service for a complex network environment.

The process starts at block 200, where the management center 12 receives an activation key automatically transmitted from a device 14 connected to the network. Prior to the start of the process at block 200, the configuration of the device 14 is provisioned by an entity such as, for example, an administrator or a managed service provider. The entity may initiate the provisioning of the device 14 by logging onto the web-based management portal 90 and entering a license key associated with the device 14. The license key may be generated by a managed service provider and may be issued with the purchase of the device 14. The license key may include information such as the product type of the device 14, the term length of the license associated with the device 14, and the seller of the license. A hash function may be used to embed the information in the key to obscure the data, and the data may be read by the network manager to verify the authenticity of the license key.
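One way to build a license key that carries the product type, term length and seller and can be checked for authenticity, shown as an added example that is not the patent's own format. The byte layout, the serial field, the base32 grouping and the use of HMAC-SHA256 (a keyed hash, chosen here because a plain hash can be recomputed by anyone) are assumptions.

```python
import base64
import hashlib
import hmac
import struct

TAG_LEN = 12        # bytes of HMAC-SHA256 kept in the key (assumed truncation)
_LAYOUT = ">BBHI"   # product type, term in months, seller id, serial (assumed layout)


def issue_license_key(secret: bytes, product_type: int, term_months: int,
                      seller_id: int, serial: int) -> str:
    """Pack the license fields, append a keyed tag, and render as grouped base32."""
    payload = struct.pack(_LAYOUT, product_type, term_months, seller_id, serial)
    tag = hmac.new(secret, payload, hashlib.sha256).digest()[:TAG_LEN]
    text = base64.b32encode(payload + tag).decode("ascii")   # 20 bytes -> 32 chars
    return "-".join(text[i:i + 4] for i in range(0, len(text), 4))


def read_license_key(secret: bytes, key: str) -> dict:
    """Return the embedded fields, or raise ValueError if the key is not authentic."""
    try:
        raw = base64.b32decode(key.strip().replace("-", ""), casefold=True)
    except ValueError as exc:            # binascii.Error is a ValueError subclass
        raise ValueError("license key is not valid base32") from exc
    if len(raw) != struct.calcsize(_LAYOUT) + TAG_LEN:
        raise ValueError("license key has the wrong length")
    payload, tag = raw[:-TAG_LEN], raw[-TAG_LEN:]
    expected = hmac.new(secret, payload, hashlib.sha256).digest()[:TAG_LEN]
    # Constant-time comparison so the check does not leak how many bytes matched.
    if not hmac.compare_digest(tag, expected):
        raise ValueError("license key failed authentication")
    product_type, term_months, seller_id, serial = struct.unpack(_LAYOUT, payload)
    return {"product_type": product_type, "term_months": term_months,
            "seller_id": seller_id, "serial": serial}


if __name__ == "__main__":
    demo_secret = b"constructed-demo-secret"      # constructed value, not a real key
    k = issue_license_key(demo_secret, 2, 36, 1001, 42)
    print(k, read_license_key(demo_secret, k))
```

In this layout the fields are encoded, not encrypted: anyone holding the key can decode them, and only the issuer's secret lets the tag be produced or verified.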

Once the license key is received by the web-based management portal 90, the configuration of the device 14 may be provisioned via the web-based management portal 90. Setting the configuration of the device 14 may include setting the IP address of the device 14, and setting the configurations for the firewall configuration, the intrusion prevention configuration, the anti-virus configuration, the content filtering configuration, the anti-spam configuration, the VPN configuration, the DHCP server configuration, the network management configuration, the network interface configuration, the VLAN configuration, the QOS configuration and any other device configurations. Each configuration provisioned for the device 14 may be stored in the database cluster 82. According to various embodiments, a default configuration may be selected for the device 14.

During the provisioning process, an activation key associated with the device 14 is generated and may be printed out or e-mailed for later use. The configuration of the device 14 and the generation of the activation key may be completed from any location by accessing the web-based management portal 90.

Once the provisioning process is completed, the device 14 may be installed at the customer location. After the device 14 is connected to the local area network 18, the device 14 automatically attempts to obtain a wide area network IP address using DHCP. As most Internet service providers assign IP addresses using DHCP, in most cases the device 14 will automatically obtain its wide area network IP address. For Internet service providers who do not use DHCP, the wide area network IP address can be obtained using PPPOE. Alternatively, a wide area network IP address may be statically assigned to the device 14.

According to various embodiments, the device 14 is configured with the DNS names of a number of the hosted servers that comprise the activation server 84. Once the device 14 obtains a wide area network IP address, the device 14 automatically attempts to communicate with one of the hosted servers that comprise the activation server 84. When the communication is successful, the activation key is entered and the device 14 transmits the activation key to the activation server 84. The activation key may be entered by an installer of the device 14. The process associated with block 200 may be repeated for any number of devices 14.

From block 200, the process advances to block 210, where the activation server 84 automatically transmits the configuration provisioned at block 200 to the device 14. After the device 14 receives its configuration from the activation server 84, an installer of the device 14 may be prompted to reboot the device 14. Once the device 14 reboots, the device 14 automatically connects to its assigned manager server 88 and the installation of the device 14 is complete. The process associated with block 210 may be repeated for any number of devices 14.

From block 210, the process advances to block 220, where the management center 12 automatically maintains the configuration of the device 14. According to various embodiments, a flag is set in the database servers of the database cluster 82 when a change to the configuration of the device 14 is entered via the web-based management portal 90. According to various embodiments, the auto-provisioning manager module 100 periodically polls the database cluster 82 looking for changes to the configurations of the devices 14 managed by the manager server 88. When the auto-provisioning manager module 100 detects a device configuration that needs to be changed, the appropriate module (e.g., firewall, intrusion prevention, anti-virus, etc.) will generate the new configuration for the particular service and make the necessary configuration changes to the device 14 that needs to be updated. The process associated with block 220 may be repeated for any number of devices 14.

From block 220, the process advances to block 230, where the logger manager 86 receives log information from the device 14. As explained previously, the log information received from each device 14 may be compressed and encrypted, and may represent information associated with, for example, a firewall system, an intrusion prevention system, an anti-virus system, a content filtering system, an anti-spam system, etc. residing at the particular device 14. Once the logger manager 86 receives the log information, the logger manager 86 correlates the log information and makes it available to other elements of the management center 12. The correlated information may be utilized to determine both the real time and historical performance of the network.

FIG. 11 illustrates various embodiments of a method of managing a network. According to various embodiments, the method includes automatically setting a default configuration for the device, automatically generating an activation key associated with a device, and automatically transmitting a provisioned configuration to the device after the device is connected to the network. The network may be, for example, a local area network, or a number of local area networks that rely on the Internet to communicate with one another. The device may be, for example, the device 14 described hereinabove. The method may be utilized to provide an automated managed service for a complex network environment.

The process starts at block 240, where a default configuration is set for the device 14. According to various embodiments, the web-based management portal 90 may provide the default configuration that serves as the basis for the device configuration. The process associated with block 240 may be repeated for any number of devices 14.

From block 240, the process advances to block 250, where an activation key associated with a device is automatically generated. According to various embodiments, the activation key may be generated by the web-based management portal 90 during the provisioning of the device 14. The provisioning of the device 14 may include changing some of the settings of the default configuration. The process associated with block 250 may be repeated for any number of devices 14.

From block 250, the process advances to block 260, where the provisioned configuration is automatically transmitted to the device 14 after the device 14 is connected to the network. According to various embodiments, the activation server 84 may automatically transmit a provisioned configuration to the device 14 after the device 14 is connected to the network. The process associated with block 260 may be repeated for any number of devices 14.

FIG. 12 illustrates various embodiments of a method of managing a network. According to various embodiments, the method includes periodically polling a device connected to the network, automatically determining whether a configuration of the device is current, automatically setting a new configuration for the device when the configuration is not current, and automatically transmitting the new configuration to the device. The network may be, for example, a local area network, or a number of local area networks that rely on the Internet to communicate with one another. The device may be, for example, the device 14 described hereinabove. The method may be utilized to provide an automated managed service for a complex network environment.

The process starts at block 270, where a device 14 connected to the network is periodically polled. According to various embodiments, the periodic polling may be conducted by the manager server 88. The process associated with block 270 may be repeated for any number of devices 14.

From block 270, the process advances to block 280, where it is automatically determined whether the configuration of the device 14 is current. According to various embodiments, the automatic determination may be made by the manager server 88. The process associated with block 280 may be repeated for any number of devices 14.

From block 280, the process advances to block 290, where a new configuration is automatically set for the device 14 when the configuration of the device 14 is not current. According to various embodiments, the new configuration may be automatically set by the manager server 88. The process associated with block 290 may be repeated for any number of devices 14.

From block 290, the process advances to block 300, where the new configuration is automatically transmitted to the device 14. According to various embodiments, the new configuration may be automatically transmitted to the device 14 by the manager server 88. The process associated with block 300 may be repeated for any number of devices 14.

FIG. 13 illustrates various embodiments of a method of managing a network. According to various embodiments, the method includes receiving network traffic information from a device connected to the network, automatically correlating the information, and automatically determining network performance based on the information. The network may be, for example, a local area network, or a number of local area networks that rely on the Internet to communicate with one another. The device may be, for example, the device 14 described hereinabove. The method may be utilized to provide an automated managed service for a complex network environment.

The process starts at block 310, where network traffic information is received from a device 14 connected to the network. The network traffic information may represent information that travels from one device 14 to another device 14. According to various embodiments, the network traffic information is captured at the device 14 and may include, for example, source/destination IP address, protocol, sequence number and source/destination port. According to various embodiments, the network traffic information transmitted from the device 14 is received by the manager server 88. The process associated with block 310 may be repeated for any number of devices 14.

From block 310, the process advances to block 320, where the information is correlated. According to various embodiments, the information may be correlated with network traffic information transmitted from any number of devices 14. According to various embodiments, the correlation of the information is conducted by the manager server 88.

From block 320, the process advances to block 330, where the network performance is determined based on the information. According to various embodiments, the network performance determination is made by the manager server 88. For example, assume that ten VOIP packets leave a first device 14 destined for a second device 14. As explained previously, the first device 14 may record the exact time each VOIP packet leaves, and the source/destination IP Address, protocol, sequence number and source/destination port for each VOIP packet. The first device 14 may then send this information to the manager server 88. Further assume that these ten VOIP packets travel over the Internet 16 and that the third and eighth VOIP packets are lost, dropped by a router that is over-utilized. The second device 14 will only see eight VOIP packets arrive, not knowing that the third and eighth packets were lost. The second device 14 may then record the exact time each packet is received and the source/destination IP Address, protocol, sequence number, and source/destination port for each received packet. The second device 14 may then send this information to the manager server 88. The manager server 88 may then examine the information transmitted from the first and second devices 12, 14 and determine, based on the IP Address, protocol, sequence number, and source/destination port that the packets recorded by both the first and second devices 14 are part of the same packet stream. Armed with this information, the manager server 88 may then determine the exact latency and jitter of each packet, and the packet loss (20% in this example) on a real application data stream. The process associated with block 330 may be repeated for network traffic information received from any number of devices 14.
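The ten-packet VOIP case above, worked through as an added example that is not code from the patent. The record fields, addresses, ports and timestamps are constructed; the sketch assumes the two devices' clocks are synchronized, ignores duplicate arrivals, and reports jitter as the mean absolute change in latency between successive delivered packets (not the smoothed RFC 3550 estimator).

```python
from collections import defaultdict
from statistics import mean


def flow_key(rec):
    """Fields the manager server uses to decide two records belong to one stream."""
    return (rec["src"], rec["dst"], rec["proto"], rec["sport"], rec["dport"])


def correlate(sent, received):
    """Match sender and receiver records per flow and sequence number."""
    tx, rx = defaultdict(dict), defaultdict(dict)
    for rec in sent:
        tx[flow_key(rec)][rec["seq"]] = rec["t"]
    for rec in received:
        # Keep the first arrival only; a duplicate must not skew latency.
        rx[flow_key(rec)].setdefault(rec["seq"], rec["t"])

    report = {}
    for key, sent_by_seq in tx.items():
        got = rx.get(key, {})
        latency = {seq: got[seq] - t
                   for seq, t in sorted(sent_by_seq.items()) if seq in got}
        lost = sorted(set(sent_by_seq) - set(got))
        values = list(latency.values())
        jitter = (mean(abs(b - a) for a, b in zip(values, values[1:]))
                  if len(values) > 1 else 0.0)
        report[key] = {
            "sent": len(sent_by_seq),
            "received": len(latency),
            "lost": lost,
            "loss_pct": 100.0 * len(lost) / len(sent_by_seq),
            "latency_us": latency,
            "jitter_us": jitter,
        }
    return report


def sample_records():
    """Constructed data: seq 1..10 sent 20 ms apart, seq 3 and 8 never arrive."""
    flow = {"src": "10.1.0.5", "dst": "10.2.0.9", "proto": "udp",
            "sport": 16384, "dport": 16390}
    one_way_us = {1: 30000, 2: 31000, 4: 30500, 5: 32000,
                  6: 30000, 7: 30000, 9: 33000, 10: 31000}
    start = 1_000_000
    sent = [dict(flow, seq=s, t=start + (s - 1) * 20_000) for s in range(1, 11)]
    received = [dict(flow, seq=s, t=start + (s - 1) * 20_000 + d)
                for s, d in one_way_us.items()]
    return sent, received


if __name__ == "__main__":
    for key, stats in correlate(*sample_records()).items():
        print(key, stats["lost"], stats["loss_pct"], round(stats["jitter_us"], 1))
```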

FIG. 14 illustrates various embodiments of a method of managing a network. According to various embodiments, the method includes receiving credentials associated with a remote access user, automatically validating the credentials, automatically determining which devices connected to the network the remote access user is authorized to connect to, and automatically transmitting to a remote access client a list of devices the remote access user is authorized to connect to. The network may be, for example, a local area network, or a number of local area networks that rely on the Internet to communicate with one another. The device may be, for example, the device 14 described hereinabove. The method may be utilized to provide an automated managed service for a complex network environment.

The process starts at block 340, where credentials associated with a remote access user are received from a remote access client. The remote access user is a user who is located at a site that does not have a device 14 associated therewith. According to various embodiments, the credentials are received by the web-based management portal 90. The remote access client may be implemented as a software client installed on a personal computer such as, for example, a desktop computer or a laptop computer. According to various embodiments, when the software client is launched, it requires the remote access user to input their credentials (e.g., company ID, username, password). After the remote access user enters the credentials, the software client may make a secure socket layer connection to the web-based management portal 90. The process associated with block 340 may be repeated for any number of remote access users.

From block 340, the process advances to block 350, where the credentials are automatically validated. According to various embodiments, the credentials may be automatically validated by the web-based management portal 90. If the credentials are not valid, the web-based management portal 90 may return an error message to the remote access client which may then prompt the remote access user to reenter their credentials. The process associated with block 350 may be repeated for any number of remote access users.

From block 350, the process advances to block 360, where it is determined which devices 14 connected to the network the remote access user is authorized to connect to. According to various embodiments, the determination is made by the web-based management portal 90. The process associated with block 360 may be repeated for any number of remote access users.

From block 360, the process advances to block 370, where a list of the devices 14 is automatically transmitted to a remote access client associated with the remote access user. According to various embodiments, the list is automatically transmitted from the web-based management portal 90. Once the list is presented to the remote access user and a particular device 14 is selected, an encrypted tunnel may be established between the personal computer and the selected device 14. The process associated with block 370 may be repeated for any number of remote access users.

Each of the methods described above may be performed by the system 10 of FIG. 1 or by any suitable type of hardware (e.g., device, computer, computer system, equipment, component); software (e.g., program, application, instruction set, code); storage medium (e.g., disk, device, propagated signal); or combination thereof.

While several embodiments of the invention have been described, it should be apparent, however, that various modifications, alterations and adaptations to those embodiments may occur to persons skilled in the art with the attainment of some or all of the advantages of the disclosed invention. For example, the system 10 may further include a plurality of graphical user interfaces to facilitate the management of the network. The graphical user interfaces may be presented through an interactive computer screen to solicit information from and present information to a user in conjunction with the described systems and methods. The graphical user interfaces may be presented through a client system including a personal computer running a browser application and having various input/output devices (e.g., keyboard, mouse, touch screen, etc.) for receiving user input. It is therefore intended to cover all such modifications, alterations and adaptations without departing from the scope and spirit of the disclosed invention as defined by the appended claims.

What is claimed is:
1. A method for providing a managed network, comprising: in a management center, setting at least one configuration to be transmitted to a first network management device, the at least one configuration to cause the first network management device to provide a corresponding at least one managed network service for a first network after the at least one configuration is transmitted to and received by the first network management device, wherein setting the at least one configuration comprises setting: a quality of service (QOS) configuration to cause the first network management device to enable selective transmission of information by the first network management device based on a relative metric of the information; and transmitting the at least one configuration to the first network management device via a second network in response to receiving an activation key at the management center, the activation key transmitted from the first network management device to the management center via the second network after the first network management device is connected to the second network at a first location.
 2. The method of claim 1, wherein setting at least one configuration of a first network management device comprises generating the activation key.
 3. The method of claim 1, wherein setting at least one configuration of a first network management device comprises setting at least one of: an anti-virus configuration to cause the first network management device to provide an anti-virus service; a content filtering configuration to cause the first network management device to provide a content filtering service; an anti-spam configuration to cause the first network management device to provide an anti-spam service; a virtual private network (VPN) configuration to cause the first network management device to provide a VPN service, the VPN service to enable the first network management device to communicate with at least one of: a second network management device located at a second location, a remote access client, and the management center; an internet protocol (IP) routing and network interface configuration to cause the first network management device to provide an IP routing and network interface service; and a device monitoring configuration to cause the first network management device to provide a device monitoring service, the device monitoring service to monitor one or more network elements, the one or more network elements connected to the first network and external to the first network management device.
 4. The method of claim 1, comprising updating the at least one configuration within the first network management device.
 5. The method of claim 4, wherein updating the at least one configuration within the first network management device comprises: periodically polling the first network management device; determining whether the at least one configuration of the first network management device is current; setting a new configuration for each of the at least one configuration that is not current; and transmitting the new configurations to the first network management device.
 6. The method of claim 1, comprising receiving log information from the first network management device, the log information associated with at least one managed network service.
 7. The method of claim 6, comprising: correlating the received log information; and determining one or more of a real time performance and a historical performance of the first network based on the correlated log information.
 8. The method of claim 1, comprising: receiving performance information from the first network management device; correlating the received performance information; and determining one or more of a real time performance and a historical performance of the first network based on the correlated performance information.
 9. The method of claim 8, wherein receiving performance information from the first network management device comprises receiving at least one of the following: a CPU utilization value; a memory utilization; and a network interface bandwidth utilization value.
 10. The method of claim 8, wherein receiving performance information from the first network management device comprises receiving performance information gathered from one or more network elements connected to the first network and external to the first network management device.
 11. The method of claim 10, wherein receiving performance information gathered from the one or more network elements comprises receiving at least one of the following: a reachability value; a latency value; and a CPU utilization value.
 12. A system for managing a network, the system comprising: a first network management device comprising a processor and a memory, the first network management device to provide at least one managed network service for a first network after a corresponding at least one configuration is transmitted to and received by the first network management device; and a management center to communicate with the first network management device via a second network, the management center to: set the least one configuration to be transmitted to a first network management device, wherein the at least one configuration comprises: a quality of service (QOS) configuration to cause the first network management device to enable selective transmission of information by the first network management device based on a relative metric of the information; and transmit the at least one configuration to the first network management device via the second network in response to receiving an activation key at the management center, the activation key transmitted from the first network management device to the management center via the second network after the first network management device is connected to the second network at a first location.
 13. The system of claim 12, wherein the at least one configuration comprises at least one of: an anti-virus configuration to cause the first network management device to provide an anti-virus service; a content filtering configuration to cause the first network management device to provide a content filtering service; an anti-spam configuration to cause the first network management device to provide an anti-spam service; a virtual private network (VPN) configuration to cause the first network management device to provide a VPN service, the VPN service to enable the first network management device to communicate with at least one of: a second network management device located at a second location, a remote access client, and the management center; an internet protocol (IP) routing and network interface configuration to cause the first network management device to provide an IP routing and network interface service; and a device monitoring configuration to cause the first network management device to provide a device monitoring service, the device monitoring service to monitor one or more network elements, the one or more network elements connected to the first network and external to the first network management device.
 14. The system of claim 12, wherein the management center is to update the at least one configuration within the first network management device.
 15. The system of claim 14, wherein the management center is to: periodically poll the first network management device; determine whether the at least one configuration of the first network management device is current; set a new configuration for each of the at least one configuration that is not current; and transmit the new configurations to the first network management device.
 16. The system of claim 12, wherein the management center is to receive log information from the first network management device, the log information associated with the at least one managed network service.
 17. The system of claim 16, wherein the management center is to: correlate the received log information; and determine one or more of a real time performance and a historical performance of the first network based on the correlated log information.
 18. The system of claim 12, wherein the management center is to: receive performance information from the first network management device; correlate the received performance information; and determine one or more of a real time performance and a historical performance of the first network based on the correlated information.
 19. The system of claim 18, wherein performance information comprises at least one of the following: a CPU utilization value; a memory utilization value; and a network interface bandwidth utilization value.
 20. The system of claim 18, wherein the performance information comprises at least one of the following: a reachability value; a latency value; and a CPU utilization value.
 21. A method of managing a network, comprising: receiving network traffic information from a network management device connected to the network; correlating the received information; and determining a performance of the network based on the correlated information.
 22. The method of claim 21, wherein determining a performance of the network comprises determining packet loss.
 23. The method of claim 21, wherein determining a performance of the network comprises determining latency.
 24. The method of claim 21, wherein determining a performance of the network comprises determining jitter.